Iran-Linked Botnet Helps Drive Cyber-Attacks Against Israel Up By 500%

A cartoon by Carlos Latuff representing the on-going cyber war being waged between Israel and hacktivists like Anonymous. (Image: Carlos Latuff)

Cyber-attacks against Israel have increased 500% in the last month, with a new report suggesting that a powerful botnet controlled by a pro-Islamic Iranian hacker group is being used as part of an Anonymous-backed cyber-campaign.

This week Arbor Networks' ASERT team published research looking at the dramatic increase in distributed denial of service (DDoS) attacks against Israel, which went from an average of 30 attacks per day in June to 150 attacks per day in July - a 500% increase.

The increase in attacks coincided with the launch of Israel's Operation Protective Edge offensive against Gaza.

Following three weeks of intensive attacks on the ground and in cyberspace, the volume of DDoS attacks decreased on 27 July coinciding with a temporary ceasefire in fighting between Israel and Gaza.

"It appears as if the attackers have made an effort to adhere to the 'real world' calls for a cease-fire, resuming their attacks when the cease-fire fell through," Kirk Soluk from Arbor Networks said.

Volume and duration increase

In a DDoS attack, the servers hosting websites are flooded with traffic and knocked offline because they cannot cope with the sudden surge of network activity.

As well as the number of attacks against Israel increasing, Arbor Networks recorded that the volume of the attacks also increased dramatically. The largest attack in June was less than 12 gigabits of traffic per second (Gbps), while in July seven separate attacks surpassed this level, with a peak of 29Gbps observed on 3 August.

The attacks also lasted longer in July, with an average duration of 1 hour and 40 minutes compared to just 20 minutes in June, and one attack that began on 19 July was still unmitigated two weeks later.

"In summary, as the intensity of the Israeli-Hamas conflict has increased, so has the number, size and duration of the DDoS attacks targeting Israel," Soluk said.

So who is behind these attacks?

Hacktivists have led a vocal and public campaign in support of the people of Gaza, under the #OpSaveGaza banner, which was launched on the eve of the start of Operation Protective Edge by a group of hackers called AnonGhost Team.

Since then thousands of Israeli government and civilian websites have been knocked offline and the campaign has been backed by the well-known Anonymous hacktivist group, which has been urging all members to take part in the DDoS attacks to knock the websites offline.

The Anonymous mask allegedly worn by Tayeb Abu Shehada when he was shot in the West Bank by an Israeli soldier.

The attack intensified when a member of Anonymous was shot dead by an Israeli soldier in the West Bank. 22-year-old Tayeb Abu Shehada was killed in the village of Huwwara near Nablus on 25 July while wearing the iconic Guy Fawkes mask (above) which is a symbol of the Anonymous movement.

While Arbor says the majority of the DDoS attacks it has seen were carried out using reflection/amplification techniques which could have been carried out by Anonymous hacktivists, it has also observed a much more interesting technique being used.

Qassam Cyber Fighters and Brobot

Arbor says the attack method (which uses things such as "malformed DNS queries", "layer-7 HTTP and HTTP/S attacks", and "repeated page downloads and GETs/POSTs against non-existent URIs") bears a "striking resemblance to the Brobot-based attacks" first seen in 2012, but which have been silent for almost a year.
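A defender-side illustration of the "repeated page downloads and GETs/POSTs against non-existent URIs" pattern Arbor describes, added here and not part of Arbor's research or this article: a small Python check that parses web server access-log lines and flags source addresses whose requests are overwhelmingly answered with 404. The log lines and the thresholds (`min_hits`, `min_ratio`) are constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined"-style format (not real traffic).
# 198.51.100.9 hammers URIs that do not exist; 203.0.113.5 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2014:10:00:01 +0000] "GET /x7q2v HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [20/Jul/2014:10:00:01 +0000] "POST /k9m1z HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [20/Jul/2014:10:00:02 +0000] "GET /p3d8w HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [20/Jul/2014:10:00:02 +0000] "GET /p3d8w HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [20/Jul/2014:10:00:02 +0000] "POST /a1b2c HTTP/1.1" 404 162 "-" "-"
203.0.113.5 - - [20/Jul/2014:10:00:03 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jul/2014:10:00:04 +0000] "GET /news HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# Client IP, request line (method + URI) and status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, method, uri, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("uri"), int(m.group("status"))

def flag_not_found_floods(lines, min_hits=4, min_ratio=0.8):
    """Per source IP, count requests and 404 responses. Return the IPs whose 404
    count and 404 share both reach the (assumed) thresholds, with their stats.
    A single typo from a real visitor stays below min_hits and is not flagged."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "uris": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, uri, status = parsed
        s = stats[ip]
        s["total"] += 1
        if status == 404:
            s["not_found"] += 1
            s["uris"].add(uri)
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        if s["not_found"] >= min_hits and ratio >= min_ratio:
            flagged[ip] = {"total": s["total"], "not_found": s["not_found"],
                           "distinct_404_uris": len(s["uris"])}
    return flagged

if __name__ == "__main__":
    for ip, s in flag_not_found_floods(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

In practice the counts would be kept per time window rather than over a whole file, since a flood is defined by rate as much as by volume.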

Brobot is a powerful botnet (a network of zombie computers) which was first used in 2012 as part of Operation Ababil, a series of cyber-attacks carried out by the Qassam Cyber Fighters (also known as the Cyber Fighters of Izz ad-Din al-Qassam) against US financial institutions that continued until July 2013.

The attacks stopped suddenly and the Brobot network disappeared off the map.

The Qassam Cyber Fighters (QFC) group was initially branded a hacktivist group, but some (including US senator Joseph Lieberman) claimed it had links to the Iranian government, with security experts adding that the size of the attacks - up to 65Gbps - was typical of attacks from a state actor.

Back online

After going quiet in July 2013, Brobot was next seen in February this year when web hosting company Akamai revealed that it was used to successfully attack an unnamed US bank - but this time the QFC were not behind the attack.

On 30 June the botnet was seen again with DOSarrest Internet Security reporting it was used in an attack on a large Middle Eastern news outlet after it published accounts of the recent march of the Islamic State (formerly known as ISIS).

Once again, no one could identify who was behind the attack, though a spokesperson for DOSarrest Internet Security told Forbes that "all he knows is that it is most probably being controlled by someone in America, who clearly does not like to see groups like ISIS disparaged."

Now, Arbor Networks claims the botnet is being used against Israeli websites at a time when Anonymous is carrying out a high-profile campaign against the country.

Jester

However, this is not the first time that the hacktivist group has been linked to the QFC and indirectly to the Brobot botnet.

Back in September 2012, when Operation Ababil was just beginning, the well-known grey hat hacker known as The Jester claimed the hacktivist group Anonymous was providing QFC with the necessary means to disrupt US financial institutions.

Jester claimed the owner of a pay-per-minute DDoS system called Multiboot - which had been used multiple times by Anonymous - had admitted helping QFC in taking down banks like Bank of America, Chase and Wells Fargo.

While there is no direct evidence that Anonymous is now controlling the Brobot botnet, or indeed that it is being given a helping hand in the #OpSaveGaza campaign by whoever is controlling it, it is clear from Arbor's research that someone is using it to attack Israel:

"We don't know who is controlling it, but Brobot is being used to attack Israeli civilian governmental agencies, military agencies, financial services and Israel's ccTLD DNS infrastructure," Soluk said.

As the Israeli-Gaza conflict continues to evolve, it is likely that we will see the cyber-conflict evolve alongside it.